pip Regression Fix: urllib3 Decompression DoS Vulnerability Patched
Ubuntu released USN-8344-3 to address a regression introduced in the previous pip security update, while fully resolving a critical urllib3 streaming decompression vulnerability. The flaw could allow remote attackers to trigger denial-of-service conditions through resource exhaustion.
TL;DR
- USN-8344-1 pip update introduced a regression now fixed in USN-8344-3
- Root cause: urllib3 library improperly handled streaming decompression of highly compressed data
- Remote attackers could exploit the flaw to cause excessive resource consumption and DoS
- CVE-2025-66471 affects pip's bundled urllib3 library
- Ubuntu users should apply the complete fix immediately
Ubuntu released security update USN-8344-3 to resolve both a regression introduced in the previous pip patch and the underlying urllib3 vulnerability it was meant to address. The original advisory identified a critical flaw in pip's bundled urllib3 library that improperly handled streaming decompression of highly compressed data, creating a denial-of-service vector.
The vulnerability allows remote attackers to craft malicious compressed payloads that force pip to consume excessive system resources, potentially rendering affected systems unresponsive. This update provides a complete remediation, ensuring both the original vulnerability and the regression from USN-8344-1 are fully resolved.
Development teams relying on pip for package management should prioritize applying this update to maintain secure dependency resolution workflows.
Vulnerability Details
- CVE-2025-66471 affects urllib3 library bundled with pip
- Improper handling of streaming decompression in highly compressed data
- Remote attackers can trigger excessive resource consumption
- Denial-of-service condition possible without authentication
- Affects pip's ability to safely download and decompress packages
Update and Remediation
- USN-8344-1 introduced a regression requiring immediate follow-up patch
- USN-8344-3 provides complete fix for both regression and original vulnerability
- Ubuntu users should apply the update to all affected systems
- Recommended for development environments and CI/CD pipelines using pip
- No workarounds available; patching is the only mitigation
Sources
Sources
Security email updates
One digest email when we publish new security articles (TL;DR plus links to read more). Unsubscribe anytime from the message footer. See our Privacy Policy.